-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(iam): oidc provider fetches leaf certificate thumbprint instead of root #22924
Merged
Commits on Nov 14, 2022
-
chore(eks): Integ Test for OIDCP Certificate Retrieval (#22608)
This adds an integ test which verifies that granting permissions to a service account enables any Kubernetes pods using it to perform AWS API calls. If the OIDC provider for that cluster is using the wrong thumbprint, this will fail. ---- * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Configuration menu - View commit details
-
Copy full SHA for e3a423a - Browse repository at this point
Copy the full SHA e3a423aView commit details -
fix(iam): oidc provider fetches leaf certificate thumbprint instead o…
…f root (#22802) Currently, the implementation of the OIDC provider custom resource fetches the certificate chain using: https://github.com/aws/aws-cdk/blob/9bde9f3149cbfa6e7b97204f54e7cef5c9127971/packages/%40aws-cdk/aws-iam/lib/oidc-provider/external.ts#L40 It then extracts the root certificate by detecting a circular reference in the `cert.issuerCertificate` property. https://github.com/aws/aws-cdk/blob/9bde9f3149cbfa6e7b97204f54e7cef5c9127971/packages/%40aws-cdk/aws-iam/lib/oidc-provider/external.ts#L46 As it turns out, this results in the wrong certificate being extracted. I observed this while running an [EKS integration test](https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-eks/test/integ.eks-service-account-sdk-call.ts). The current certificate thumbprint that is extracted is: `AD7E1C28B064EF8F6003402014C3D0E3370EB58A`. While the expected thumbprint is: `9E99A48A9960B14926BB7F3B02E22DA2B0AB7280`. (this is the value we used to [hardcode](https://github.com/aws/aws-cdk/blob/v2.50.0/packages/%40aws-cdk/aws-eks/lib/oidc-provider.ts#L49)) The [recommended way](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html) for extracting the correct thumbprint according to AWS is using `openssl s_client -showcerts`. When I tried this, I did in fact see that the last certificate returned by this command has the correct thumbprint. During investigation, I noticed that `socket.getPeerCertificate(true)` returns another additional certificate, acting as the root one. This is aligned with what the [comment](#8607 (comment)) made in the original issue. This additional certificate is not the correct one, and we should be using the one just before it in the chain. There is however no way to detect that "second to last" certificate in this way, because it doesn't resolve to a circular reference. After some digging, I switched the implementation to use `socket.getPeerX509Certificate()`, a new method that only exists in Node16. This method skips over the incorrect certificate, and results in the correct thumbprint. <img width="539" alt="Screen Shot 2022-11-06 at 10 04 51 PM" src="https://user-images.githubusercontent.com/1428812/200195623-6735377b-a82f-472f-884d-7bec450c32c6.png"> Fixes #8607 ---- * [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) * [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies) * [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Configuration menu - View commit details
-
Copy full SHA for a65e52c - Browse repository at this point
Copy the full SHA a65e52cView commit details -
Configuration menu - View commit details
-
Copy full SHA for 481eedc - Browse repository at this point
Copy the full SHA 481eedcView commit details
Commits on Nov 15, 2022
-
Configuration menu - View commit details
-
Copy full SHA for e8c4566 - Browse repository at this point
Copy the full SHA e8c4566View commit details
Commits on Nov 16, 2022
-
Configuration menu - View commit details
-
Copy full SHA for 3ca3e08 - Browse repository at this point
Copy the full SHA 3ca3e08View commit details -
Configuration menu - View commit details
-
Copy full SHA for ec00364 - Browse repository at this point
Copy the full SHA ec00364View commit details -
Configuration menu - View commit details
-
Copy full SHA for 253f324 - Browse repository at this point
Copy the full SHA 253f324View commit details -
Configuration menu - View commit details
-
Copy full SHA for f4204a1 - Browse repository at this point
Copy the full SHA f4204a1View commit details -
Configuration menu - View commit details
-
Copy full SHA for fc59b5a - Browse repository at this point
Copy the full SHA fc59b5aView commit details
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.